Bug 1107525 - Fix corner case of in-place debug mode bailout and SPS pseudo frame popping. (r=jandem)

2024-10-13 13:25:37 +00:00 · 2014-12-09 23:10:38 -08:00 · 2014-12-09 23:10:38 -08:00 · 9729dce1ba
commit 9729dce1ba
parent 7412acaf8c
4 changed files with 24 additions and 8 deletions
--- a/js/src/jit-test/tests/debug/bug1107525.js
+++ b/js/src/jit-test/tests/debug/bug1107525.js
@ -0,0 +1,9 @@
+// |jit-test| error: InternalError
+enableSPSProfiling();
+var g = newGlobal();
+g.parent = this;
+g.eval("new Debugger(parent).onExceptionUnwind = function () { hits++; };");
+function f() {
+    var x = f();
+}
+f();
--- a/js/src/jit/Bailouts.cpp
+++ b/js/src/jit/Bailouts.cpp
@ -181,7 +181,7 @@ uint32_t
 jit::ExceptionHandlerBailout(JSContext *cx, const InlineFrameIterator &frame,
                             ResumeFromException *rfe,
                             const ExceptionBailoutInfo &excInfo,
-                             bool *overrecursed)
+                             bool *overrecursed, bool *poppedLastSPSFrameOut)
 {
    // We can be propagating debug mode exceptions without there being an
    // actual exception pending. For instance, when we return false from an
@ -196,9 +196,8 @@ jit::ExceptionHandlerBailout(JSContext *cx, const InlineFrameIterator &frame,
    JitFrameIterator iter(jitActivations);

    BaselineBailoutInfo *bailoutInfo = nullptr;
-    bool poppedLastSPSFrame = false;
    uint32_t retval = BailoutIonToBaseline(cx, bailoutData.activation(), iter, true,
-                                           &bailoutInfo, &excInfo, &poppedLastSPSFrame);
+                                           &bailoutInfo, &excInfo, poppedLastSPSFrameOut);

    if (retval == BAILOUT_RETURN_OK) {
        MOZ_ASSERT(bailoutInfo);
--- a/js/src/jit/Bailouts.h
+++ b/js/src/jit/Bailouts.h
@ -209,7 +209,7 @@ class ExceptionBailoutInfo
 uint32_t ExceptionHandlerBailout(JSContext *cx, const InlineFrameIterator &frame,
                                 ResumeFromException *rfe,
                                 const ExceptionBailoutInfo &excInfo,
-                                 bool *overrecursed);
+                                 bool *overrecursed, bool *poppedLastSPSFrameOut);

 uint32_t FinishBailoutToBaseline(BaselineBailoutInfo *bailoutInfo);

--- a/js/src/jit/JitFrames.cpp
+++ b/js/src/jit/JitFrames.cpp
@ -412,7 +412,7 @@ CloseLiveIterator(JSContext *cx, const InlineFrameIterator &frame, uint32_t loca

 static void
 HandleExceptionIon(JSContext *cx, const InlineFrameIterator &frame, ResumeFromException *rfe,
-                   bool *overrecursed)
+                   bool *overrecursed, bool *poppedLastSPSFrameOut)
 {
    RootedScript script(cx, frame.script());
    jsbytecode *pc = frame.pc();
@ -444,7 +444,8 @@ HandleExceptionIon(JSContext *cx, const InlineFrameIterator &frame, ResumeFromEx
            // to the stack depth at the snapshot, as we could've thrown in the
            // middle of a call.
            ExceptionBailoutInfo propagateInfo;
-            uint32_t retval = ExceptionHandlerBailout(cx, frame, rfe, propagateInfo, overrecursed);
+            uint32_t retval = ExceptionHandlerBailout(cx, frame, rfe, propagateInfo, overrecursed,
+                                                      poppedLastSPSFrameOut);
            if (retval == BAILOUT_RETURN_OK)
                return;
        }
@ -486,7 +487,8 @@ HandleExceptionIon(JSContext *cx, const InlineFrameIterator &frame, ResumeFromEx
                // Bailout at the start of the catch block.
                jsbytecode *catchPC = script->main() + tn->start + tn->length;
                ExceptionBailoutInfo excInfo(frame.frameNo(), catchPC, tn->stackDepth);
-                uint32_t retval = ExceptionHandlerBailout(cx, frame, rfe, excInfo, overrecursed);
+                uint32_t retval = ExceptionHandlerBailout(cx, frame, rfe, excInfo, overrecursed,
+                                                          poppedLastSPSFrameOut);
                if (retval == BAILOUT_RETURN_OK)
                    return;

@ -742,7 +744,8 @@ HandleException(ResumeFromException *rfe)
            bool invalidated = iter.checkInvalidation(&ionScript);

            for (;;) {
-                HandleExceptionIon(cx, frames, rfe, &overrecursed);
+                bool poppedLastSPSFrame = false;
+                HandleExceptionIon(cx, frames, rfe, &overrecursed, &poppedLastSPSFrame);

                if (rfe->kind == ResumeFromException::RESUME_BAILOUT) {
                    if (invalidated)
@ -764,6 +767,11 @@ HandleException(ResumeFromException *rfe)
                if (frames.more())
                    popSPSFrame = false;

+                // Don't pop the last SPS frame if it's already been popped by
+                // bailing out.
+                if (poppedLastSPSFrame)
+                    popSPSFrame = false;
+
                // When profiling, each frame popped needs a notification that
                // the function has exited, so invoke the probe that a function
                // is exiting.